Abebot and TrojanDownloader.xs

Status
Not open for further replies.

rlkscott

Posts: 17   +0
I've been infected with these two things, but McAfee Security is not recognizing them or fixing them for me. I've read other threads on this and it seems very complicated. I am a novice, can anyone help me?

Also, does anybody know what files are compromised with this infection? Do I need to worry about id or bank theft?
 
Hi rlkscott,

Welcome to Techspot!

My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.


This infection is trying to sell you a fake anti-spyware product, you could have other infections that would compromise bank accounts, etc.

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

------------------------------------------------------------------------

Highjackthis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
 
Here is the Malwarebytes' log and HijackThis log. I actually dowloaded and used the SUPERAntiSpyware program before receiving your reply. I think it took care of some of the issues, but this new scan pulled up some other trojans and fake alerts.

Thanks for all your help!



Malwarebytes' Anti-Malware 1.11
Database version: 704

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 211494
Time elapsed: 1 hour(s), 47 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\services (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HP_Administrator\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\EXPLOR~1.EXE.bak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-2449135306-3499255201-4030148772-1007\Dc151.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
 
Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected'at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

-------------------------------------------------------

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O15 - Trusted Zone: .trymedia.com[/url] (HKLM)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Weatherbug

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Documents and Settings\All Users\Application Data\gpwtspmj
C:\Program Files\AWS


After that, Reboot, and post a new HijackThis log here in a reply

===========================

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

=============================

Run Kaspersky Online AV Scanner

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
I have been out of town and have not been able to attend to your last posting. I will do your above request asap. Thanks for hanging in there with me! I really appreciate your help!
 
Ran the Domains prog. Copied 1/2 of the new HijackThis Report here. Attached the Kaspersk file. I will send another posting with program files I did not recognize in the add/remove list.
 
These files I did not recognize in the Add/Remove programs list, but we may need them. I have no idea. See if you recognize anything suspicious:

Customer Experience Enhancement 12.53 MB
DivX .32MB
Easy internet sign up 2.50MB
High Definition Audio Driver Package KB888111
MSXML 4.0 SP2 KB9327978 2.56MB
MSXML 4.0 SP2 KB936181 2.62MB
Windows Installer 3.1 KB893803
Otto
Pynthon 2.2 pywin32extentions (build 203) 29.28MB
Pynthon 2.2.3 29.28MB
Wild tangent web driver 1.05MB
 
First, can you try to keep everything as attachments and can you rename your kaspersky scan to .txt instead of .doc, I don't like opening doc files from potentially infected machines.

I would uninstall the following:
Otto <- This should be a game but if you don't use it I would remove
Wild tangent

Then delete these folders:
C:\program files\Otto
C:\program files\Wild Tangent


--------------------------------------------------------------------------

Next I want you to get Winpatrol from my signature section and install it. After installed right click the scotty dog Icon in your system tray and select startup info, eliminate some programs from running everytime you start your computer by highlighting them and selecting disable. You will still be able to run these programs but they wont launch every time you turn on the machine. This should improve performance.

We should also clean up some temp files:
Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

-----------------------------------------------------------------------------------
In your next reply you should re attach the kaspersky scan as a .txt file. you can change it by right clicking it and selecting rename
 
Here is the Kaspersky report as a txt as an attachment and the most recent HijackThis file as an attachment. I will delete my previous HijackThis posting. Is there some sort of information in there that shouldn't be posted publicly?

I will tend to your next set of instructions asap.
 
First go back to add/remove programs and uninstall PeoplePC

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Program Files\Online Services\Vonage\Xtras\regxtra121.x32
D:\I386\APPS\APP20088\src\CompaqPresario_Spring06.exe
D:\I386\APPS\APP20088\src\HPPavillion_Spring06.exe

Folder::
C:\Program Files\Online Services\PeoplePC

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
I could not uninstall people pc. It is not listed in the add/remove program list and it does not have an uninstall option in the program folder. The only thing I can do is remove the shortcut. I don't know where the actual program file is.

But I did what you wanted with combofix and hijackthis anyway. However, I'm having trouble attaching the reports to this message. (The attachment icon does not respond when i click on it.) I will try again in a new posting.
 
I still can't attach any files...none of the icons at the top of the reply box are accessible. Am I doing something wrong?
 
You could try going to edit profile on the left of the blue bar above, go down to attachments, then delete all attachments there and try again.

If that doesn't work you may copy and paste the logs into your reply
 
Status
Not open for further replies.
Back